New study reveals that none of the top 10 US university computer science and engineering program degrees requires students take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. The higher-education gap in cybersecurity comes amid the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency for organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World Report, Business Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students take a cybersecurity course, CloudPassage’s study found. Among the top 10, there are three universities that don’t offer cybersecurity courses as electives, either.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 in that rankings list), and Colorado State (#49), are the only top comp sci programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked in either the US News & World Report nor Business Insider as a top comp sci program, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to lack of awareness of just what security careers entail. Half of women ages 18- to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.